Do you know why "Microsoft Code Verification Root" would be missing from a signing certificate chain?
We recently moved a build system between two domains and had to re-install certs. We found that we had a signing problem where Microsoft wasn't in the chain causing kernel driver rejection during install.
We noticed that we had 2 additional certs in certmgr : Trusted Publisher : Certificates
After disabling Class 3 Public Primary Certification the "problem" went away and we have the proper signing chain with Microsoft on top.
I'm not sure how Class 3 Public Primary Certification was installed or what was using it, and am testing to see what impacts we might face.
Has anyone run into this kind of problem and how did they approach it? Is there a way to disable the use of the class-3 on the command line so I can leave the certmgr setting alone, thereby reducing risk?
Thanks for the help
Peter
Sign Command
signtool.exe sign /v /ac MSCV-VSClass3.cer /s TrustedPublisher /n "My Corp" /t http://timestamp.verisign.com/scripts/timstamp.dll mydriver.sys
Sign Verification
signtool verify /kp /v mydriver.sys
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 8/2/2028 7:59:59 PM
SHA1 hash: xxxxxxxxxxxxxxxxxx
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 5/20/2019 7:59:59 PM
SHA1 hash: xxxxxxxxxxxxxxxxxx
Issued to: My Corp
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: 9/10/2013 8:59:59 PM
SHA1 hash: xxxxxxxxxxxxxxxxxx
In theory, I can install the cross-sign cert from verisign that matches my cert into a cert store and signtool will automatically use it. However, this can lead to the wrong cert being used to cross sign.
Being explicit is better:
SignTool.exe sign /v /s trustedpublisher /ac path-to-retrieved-cert\MSCV-VSClass3.cer /n myCertName /t http://timestamp.verisign.com/scripts/timestamp.dll driver-file-to-sign
SignTool.exe verify /kp /v driver-file-to-check
or if you have a catalog file
SignTool.exe verify /kp /v /c driver-cat-file.cat driver-sys-file.sys
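The verify step from the question and the answer above, turned into a build gate (added example, not code from the thread): it runs signtool verify /kp /v, fails unless the top of the printed signing chain is Microsoft Code Verification Root, and flags any self-signed Class 3 Public Primary Certification Authority copy sitting in Trusted Publisher, which the question identified as the cause. The signtool and driver paths are assumptions.

```powershell
# Added example, not from the thread. Paths below are assumed; adjust for your kit.
param(
    [string]$SignTool   = 'C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe',  # assumed
    [string]$DriverFile = 'C:\build\mydriver.sys'                                        # assumed
)

$expectedRoot = 'Microsoft Code Verification Root'

# 1. Run the same verification as in the thread and keep only the signing
#    chain section (the timestamp chain, if present, is printed after it).
$output    = & $SignTool verify /kp /v $DriverFile 2>&1 | Out-String
$chainText = ($output -split 'Signing Certificate Chain:')[1]
if (-not $chainText) { throw "No signing chain printed; signtool output:`n$output" }
$chainText = ($chainText -split 'Timestamp Verified by:|The signature is timestamped:')[0]

# signtool prints the chain top-down: first "Issued to:" is the root, last is the signer.
$issuedTo = [regex]::Matches($chainText, 'Issued to:\s*(.+)') |
            ForEach-Object { $_.Groups[1].Value.Trim() }
$topOfChain = $issuedTo[0]

# 2. A self-signed Class 3 root in Trusted Publisher lets chain building stop
#    there instead of continuing through the MSCV cross-certificate, which is
#    what the question observed. Report any such entries.
$strayRoots = Get-ChildItem Cert:\LocalMachine\TrustedPublisher, Cert:\CurrentUser\TrustedPublisher |
              Where-Object { $_.Subject -eq $_.Issuer -and
                             $_.Subject -like '*Class 3 Public Primary Certification Authority*' }
foreach ($c in $strayRoots) {
    Write-Warning ("Self-signed root in {0}: {1} (thumbprint {2})" -f $c.PSParentPath, $c.Subject, $c.Thumbprint)
}

# 3. Gate the build on the chain actually reaching the Microsoft root.
if ($topOfChain -ne $expectedRoot) {
    Write-Error "Chain top is '$topOfChain', expected '$expectedRoot'. Chain: $($issuedTo -join ' -> ')"
    exit 1
}
Write-Host "OK: $DriverFile chains to $expectedRoot"
```

Run it right after the sign step so a wrong chain fails the build instead of surfacing as a kernel driver install rejection later.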